Duco Digital


What Data Protections Skills Does A Data Protection Officer Need?

Article 37 GDPR states: “The appointment of the Data Protection Officer is based on professional competence, in particular a thorough knowledge of data protection law and practice, and the ability to carry out the task.” Many experts agree that the DPO should be a licensed attorney, with sufficient knowledge not only of the GDPR but also of the other privacy laws that matter to employers. While in-depth knowledge of the General Data Protection Regulation and experience with national and European data protection legislation are required, the Regulation does not define the specific qualifications a DPO must possess. This means that under the GDPR, the DPO must have a level of knowledge of data protection legislation that matches the type of processing performed and the security measures it requires. Acting as a safeguard within the organisation, the DPO is responsible for achieving sustainable compliance, especially in companies that collect and process large amounts of data.


A DPO acts as a key intermediary between organisations, authorities, and data subjects (the people whose data the organisation processes). In the European Union, the DPO acts as the link between the organisation and the government agency that oversees data-related work. At Microsoft, for example, the EU DPO reports directly to the Microsoft Privacy Director and Microsoft Legal and Corporate senior executives. While the role of the DPO carries many responsibilities, the DPO is not personally liable for the organisation's failure to comply with the GDPR.

While the DPO is not personally responsible for compliance (Article 4.7 of the GDPR places the responsibility on the controller and the data processor), the DPO plays a crucial role in ensuring compliance. The GDPR requires a DPO to perform their functions independently, and they cannot be penalised or dismissed for performing those functions. Independence matters: since the DPO must be free from any conflict of interest, this independence allows them to challenge processes, increasing control and avoiding regulatory violations. Recital 97 states that the DPO must have no conflict of interest and must be able to perform their duties and tasks independently, as they see fit, without any influence from the board of directors or others within the organisation.


As the name implies, DPOs must be fully involved in all matters related to the protection of personal information, and the GDPR requires organisations with DPOs to involve them in all data protection impact assessments for new processing. Data controllers and data processors are obliged to ensure that the DPO is properly and promptly involved in all matters related to the protection of personal data. Where the processing of personal data is particularly complex or risky, the knowledge and skills of the DPO should be sufficiently developed to ensure effective controls.


Because of the high level of responsibility that data protection and the GDPR entail, the designated DPO must have a high level of expertise in the law, in practice, and in GDPR compliance. Where the designation of a DPO is not mandatory, it is still encouraged by the Regulation as an example of best practice and as a demonstration of compliance. Even where the GDPR does not require a DPO, many organisations choose an employee to serve as one without formally awarding that title.


For the purposes of the UK GDPR, an organisation must designate a person who meets the requirements of Articles 37-39. The UK GDPR makes it clear that an organisation must appoint a DPO to carry out the tasks required by Article 39, but this does not prevent it from appointing other data protection staff as part of a team that supports the DPO. You therefore need to decide whether appointing a full-time DPO is the best way to ensure that your organisation is GDPR compliant, or whether you would consider other options: a part-time, joint or external consultant.


The DPO must have extensive industry experience in order to understand which other roles within the organisation they need to collaborate with. DPOs must also have a reasonable understanding of the organisational and technical measures the organisation has put in place, and be familiar with information technology and data security.


Even without looking for a GDPR specialist as such, many employers will use an understanding of this de facto standard for data privacy requirements to assess eligibility for a DPO position. While the GDPR does not list specific qualifications, it stipulates that the level of knowledge and experience required of an organisation's DPO should be determined by the complexity of the data processing operations being performed.


Article 38(2) GDPR requires organisations to support their DPOs by "providing the necessary resources to carry out [their] tasks and access to personal data and processing operations, and to maintain their expertise". Section 37.5 requires the DPO to be a professional proficient in data protection law and practice. Typically, a DPO is an IT (security) professional or a specialist with a law degree, but that is not a rule.


The DPO role requires that eligible candidates have at least seven years of professional experience in data protection, or a combination of 10 years of experience in data protection, security, and business risk management. Career advancement to DPO can reasonably be expected after more than 10 years of experience across various privacy disciplines (e.g. privacy policy and programmes, privacy law, information management, incident response, information security, training and awareness, etc.).

DPO legal status

A DPO has the same legal status whether the appointment is voluntary or mandatory, and organisations are subject to the same sanctions if the role of DPO is not properly performed.


Useful Links:

https://www.dummies.com/article/technology/cybersecurity/10-must-have-skills-for-the-data-protection-officer-267842/

https://www.itgovernanceusa.com/the-data-protection-role-(dpo)-under-the-gdpr

https://easternpeak.com/definition/data-protection-officer-dpo/

https://www.privacycompliancehub.com/gdpr-resources/when-to-appoint-a-data-protection-officer/

https://insights.ascentor.co.uk/blog/2017/06/gdpr-data-protection-officer-dpo

https://cybersecurityguide.org/careers/data-protection-officer/

https://www.itgovernance.eu/blog/en/what-qualities-does-a-data-protection-officer-dpo-need

https://dataprivacymanager.net/who-is-a-data-protection-officer-roles-and-responsibilites/

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/

https://www.siliconrepublic.com/careers/data-protection-officer-gdpr

https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-data-protection-officer

https://www.icaew.com/technical/legal-and-regulatory/information-law-and-guidance/data-protection/data-protection-articles/so-who-wants-to-be-a-data-protection-officer

https://www.skillcast.com/blog/appointing-data-protection-officer-dpo

https://gdpr.eu/data-protection-officer/

https://degree.astate.edu/articles/media-management/data-protection-officer-skills.aspx

https://www.gdpreu.org/the-regulation/key-concepts/data-protection-officer/

https://cybeready.com/the-roles-and-responsibilities-of-a-data-protection-officer